ActionServlet.java mishandles multithreaded access, which allows code execution or DoS.

This item was patched in Struts 1.3.10.19fc. We have applied a static patch to our bundled version of Struts 1.3.10.17fc to address this. A source code analysis also revealed we are not utilizing the vulnerable classes.

ActionServlet.java does not properly restrict the Validator configuration, which allows XSS.

This item was patched in Struts 1.3.10.19fc. We have applied a static patch to our bundled version of Struts 1.3.10.17fc to address this. A source code analysis also revealed we are not utilizing the vulnerable classes.

This vulnerability is listed against Struts 2, versions 2.3.x before 2.3.35 and 2.5.x before 2.5.17. It is a Remote Code Execution (RCE) vulnerability that arises when alwaysSelectFullNamespace is set to true and actions are configured with no namespace or a wildcard namespace.
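A defensive check for the configuration condition described above, as an added example (not the vendor's or the Struts project's code): it parses a struts.xml and reports packages whose actions have no namespace or a wildcard namespace while `struts.mapper.alwaysSelectFullNamespace` is true. The sample configurations are constructed, and the check assumes the constant is set in struts.xml rather than in struts.properties or another source.

```python
import xml.etree.ElementTree as ET

# Struts 2 constant behind the alwaysSelectFullNamespace flag.
FLAG = "struts.mapper.alwaysSelectFullNamespace"

def audit_struts_config(xml_text):
    """Report whether a struts.xml matches the condition in the advisory text."""
    root = ET.fromstring(xml_text)
    flag_on = any(
        c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    packages = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "":
            reason = "no namespace"
        elif "*" in ns:
            reason = "wildcard namespace"
        else:
            continue  # explicit, non-wildcard namespace
        actions = [a.get("name") for a in pkg.iter("action")]
        if actions:
            packages.append((pkg.get("name"), reason, actions))
    # Both parts of the condition must hold for the configuration to match.
    return {"flag_enabled": flag_on,
            "exposed": flag_on and bool(packages),
            "packages": packages}

# Constructed sample: flag enabled, one package without a namespace,
# one with a wildcard namespace, one with an explicit namespace.
SAMPLE_EXPOSED = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="example.Index"><result>/index.jsp</result></action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="show" class="example.Show"><result>/show.jsp</result></action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="home" class="example.Home"><result>/home.jsp</result></action>
  </package>
</struts>"""

# Constructed sample: same packages with the flag turned off.
SAMPLE_HARDENED = SAMPLE_EXPOSED.replace('value="true"', 'value="false"')

if __name__ == "__main__":
    print(audit_struts_config(SAMPLE_EXPOSED))
    print(audit_struts_config(SAMPLE_HARDENED))
```

A configuration that matches should still be moved to a fixed release (2.3.35 or 2.5.17, per the text above); turning the flag off or giving every package an explicit namespace only removes the stated precondition.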